Privilege Reference

In the Coveo Cloud privilege system, each domain can be associated to one or more access levels to form a privilege, which allows an API key or a group of users to perform certain operations in the Coveo Cloud administration console (see Understanding Privileges and Navigating the Privileges Tab).

However, although many domains offer a View and an Edit access level, the abilities represented by these access levels may differ from domain to domain. Some domains also offer different access level options such as Allowed or Push. So, to help you grant the appropriate privilege to groups of users or API keys, this page details what your grantee can do when granted each access level option for each domain. In the Coveo Cloud V2 administration console, domains of privilege are grouped by service, and this page uses the same arrangement. Use the In This Article menu on the right-hand side of the page to browse the services and domains.

The operation of granting privileges is not to be taken lightly, as insufficient privileges can hinder task accomplishment, while inadequate or unnecessary privileges could lead to accidents or misuse. When allowed to delegate powers, you should have a good understanding of how the Coveo Cloud privilege system works and be well aware of the implications of each choice you make. In this regard, Coveo strongly recommends thoroughly reading its privilege documentation before granting privileges or editing a privilege set, and enforcing the principle of least privilege, i.e., granting just enough privileges for the grantee to perform their tasks (see Privilege Management and Principle of Least Privilege).

In the tables below, the typical grantees associated to a privilege are mostly the built-in groups that are granted this access level by default (see Built-In Groups). Members of the Administrators group are always granted the highest access level. When API keys appears in the Typical grantee column, it indicates that the corresponding privilege is frequently granted to an API key so that an external application can communicate with Coveo Cloud.

Analytics Service

Administrate Domain

Access level	Grantee abilities	Typical grantees
Allowed	Manage the organization usage analytics data: Add and delete test usage analytics data in the account Edit, get, delete, and disable the organization account Define IP addresses whose events are flagged as internal (see Administration API - Version 15 and Internal Events) This privilege is especially potent since grantees can delete usage analytics data and could inadvertently corrupt it as well.	Administrators API keys

Analytics Data Domain

Access level	Grantee abilities	Typical grantees
View	View reports (see Managing Usage Analytics Reports) View dimensions (see Managing Dimensions on Custom Metadata) View named filters (see Managing Named Filters) View permission filters (see Managing Permission Filters) View usage analytics data exports (see Managing Data Exports) View Coveo Machine Learning models (see Coveo Machine Learning Models)	Analytics managers Analytics viewers Relevance managers
Push	Send analytics events to the Coveo usage analytics service (see Manage API Keys)	OAuth tokens, API keys, and search tokens assigned to a process such as a search interface
Push and view	View reports (see Managing Usage Analytics Reports) View dimensions (see Managing Dimensions on Custom Metadata) View named filters (see Managing Named Filters) View permission filters (see Managing Permission Filters) View usage analytics data exports (see Managing Data Exports) View Coveo Machine Learning models (see Coveo Machine Learning Models) Send analytics events to the Coveo usage analytics service (see Manage API Keys)	Administrators

Data Exports Domain

The Data exports domain access levels are ineffective without the View access level on the Analytics data domain (see Analytics Data Domain).

Access level	Grantee abilities	Typical grantees
View	View and download usage analytics data exports containing clicks, groups, keywords, searches, and custom events meeting the specified criteria for a specific date range (see Managing Data Exports)
Edit	Add, edit, or delete analytics data exports from the specified user visits (see Managing Data Exports) Review user visits (see Reviewing User Visits With the Visit Browser)	Administrators Analytics managers Analytics viewers Relevance managers

Delete User Data Domain

Access level	Grantee abilities	Typical grantees
Allowed	Delete usage analytics user data This privilege is especially potent since grantees can delete usage analytics user data. This can break existing dashboards and reports and also render some data sets inaccurate.	Administrators API keys

Dimensions Domain

The Dimensions domain access levels are ineffective without the View access level on the Analytics data domain (see Analytics Data Domain).

Access level	Grantee abilities	Typical grantees
View	View dimensions (see Managing Dimensions on Custom Metadata). View reports (see Managing Usage Analytics Reports) View named filters (see Managing Named Filters) View permission filters (see Managing Permission Filters)	Analytics viewers
Edit	Add, edit, or delete dimensions created by Coveo Cloud organization members (see Managing Dimensions on Custom Metadata).	Administrators Analytics managers

Impersonate Domain

Access level	Grantee abilities	Typical grantees
Allowed	Allow a custom process or bot to push usage analytics events with different identities.	Administrators API keys

Incoherent Events Domain

Access level	Grantee abilities	Typical grantees
View	View incoherent events (see Reviewing Incoherent Usage Analytics Events)	Administrators

Metric Alerts Domain

Access level	Grantee abilities	Typical grantees
View	Edit	View metric alerts (see Reviewing Usage Analytics Metric Alerts)	Dismiss and reactivate metric alerts (see Reviewing Usage Analytics Metric Alerts)	Administrators	Administrators

Named Filters Domain

The Named filters domain access levels are ineffective without the View access level on the Analytics data and Dimensions domains (see Analytics Data Domain and Dimensions Domain).

Access level	Grantee abilities	Typical grantees
View	View named filters (see Managing Named Filters)	Analytics viewers Users
Edit	Add, edit, or delete named filters (see Managing Named Filters)	Administrators Analytics managers Relevance managers

Permission Filters Domain

The Permission filters domain access levels are ineffective without the View access level on the Analytics data and Dimensions domains (see Analytics Data Domain and Dimensions Domain).

Access level	Grantee abilities	Typical grantees
View	View permission filters restricting the usage analytics data that analysts can review in reports (see Managing Permission Filters) Without the View access level, you cannot see the permissions filters that are assigned to your identity in reports.	Analytics viewers Analytics managers Relevance managers Users
Edit	Add, edit, or delete permission filters (see Managing Permission Filters) The Edit access level is ineffective without the View access level on the Groups domain (see Groups Domain).	Administrators

Reports Domain

The Reports domain access levels are ineffective without the View access level on the Analytics data and Dimensions domains (see Analytics Data Domain and Dimensions Domain).

Access level	Grantee abilities	Typical grantees
View	View usage analytics reports (see Reviewing and Managing Dashboards and Reviewing and Managing Usage Analytics Explorers)	Analytics viewers
Edit	Add, edit, or delete usage analytics reports (see Managing Usage Analytics Reports) The Edit access level is ineffective without the Allowed access level on the Administrate domain (see Administrate Domain).	Administrators Analytics managers Relevance managers

Suggest Queries Domain

Access level	Grantee abilities	Typical grantees
Allowed	Allow a process such as a search interface to receive query suggestions from the Coveo Usage Analytics service (see About Usage Analytics Service Query Suggestions)	Administrators API keys

View All Reports Domain

Access level	Grantee abilities	Typical grantees
Allowed	View all reports, regardless of report accesses (see Managing Usage Analytics Report Access in Reports). Members that do not have this access level can only review the reports they are explicitly allowed to access. This privilege is especially potent since grantees bypass report permissions and could therefore access sensitive information that they would not be allowed to access otherwise.	Administrators Analytics managers

Content Service

Extensions Domain

Access level		Grantee abilities	Typical grantees
View		View the code and usage statistics of available extensions assigned to sources. This is especially useful when troubleshooting cases such as item indexing issues (see Manage Extensions).
Custom¹	View	View the code and usage statistics of the specified extensions. This is especially useful when troubleshooting cases such as item indexing issues (see Manage Extensions).
Custom¹	Edit	Add code snippets to apply transformations to included items such as adding or modifying metadata (see Manage Extensions). It is recommended to grant this privilege to developers only.
Edit		Add code snippets to apply transformations to included items such as adding or modifying metadata (see Manage Extensions). It is recommended to grant this privilege to developers only.	Administrators Content managers

Note 1: See Understanding the Custom Access Level.

Fields Domain

Access level	Grantee abilities	Typical grantees
View	View fields and field configuration (see Manage Fields )	Users
Edit	Add, edit, or delete fields (see Manage Fields ) Add, update, or delete fields in batches (see Creating Fields)	Administrators API keys Content managers

Logical Indexes Domain

The privileges of this domain will be required to use an upcoming feature. Granting these privileges to groups of users does not give them any additional capabilities yet.

Security Identities Domain

The Security identities domain access levels are ineffective without the View access level on the Security identity providers domain (see Security Identity Providers Domain).

Access level	Grantee abilities	Typical grantees
View	View security identity provider update status, statistics, and refresh schedule (see Manage Security Identities) View security identity provider references such as provider IDs and the sources that use each provider (see Review Additional Statistics) View the permissions and effective permissions on Coveo Cloud organization items (see Review Item Properties) View security identities and their status inside each security provider
Edit	Only required by certain API calls (e.g., enable all disabled entities in security cache). Granting this access level to groups of users does not give them any additional capabilities.	Administrators

Security Identity Providers Domain

Access level	Grantee abilities	Typical grantees
View	View security identity provider update status, statistics, and refresh schedule (see Manage Security Identities) View security identity provider references such as provider IDs and the sources that use each provider (see Review Additional Statistics) View security identities and their status inside each security provider
Edit	Refresh security identity providers (see Refresh a Security Identity Provider and Refresh All Security Identities) Edit security identity provider refresh schedules (see ) Edit provider JSON configuration (see Manage Advanced Security Identity Provider Parameters)	Administrators

Sources Domain

To review source content in the Content Browser, you must have the Allowed access level on the Execute queries domain (see Inspect Items With the Content Browser and Execute Queries Domain).
Unlike for other resources, the ability to create sources can be granted without the Edit access level. You can therefore grant a group or API key the View all or Custom access level for the Sources domain and check the Can Create checkbox to allow users to create resources in this domain.

Access level		Grantee abilities	Typical grantees
View all		View all sources (see Manage Sources) View configuration of all sources View all source logs (see Log Browser) Subscribe to source notifications (see User Notifications)	Users
Custom¹	View	View source (see Manage Sources) View source configuration View source logs (see Log Browser) Subscribe to source notifications (see User Notifications)	API keys
Custom¹	Edit	Edit or delete specific sources (see Add or Edit a Source) Edit specific source refresh schedules (see Edit a Source Schedule) Edit specific source mappings (see Manage Source Mappings) Launch, pause, resume, and cancel specific source updates (see Refresh, Rescan or Rebuild Sources) Use the push API to send content to Coveo Cloud (see Push API) Subscribe to source notifications (see User Notifications)	API keys
Edit all		Add all sources (see Add or Edit a Source) Edit or delete all sources (see Add or Edit a Source) Edit all source refresh schedules (see Edit a Source Schedule) Edit all source mappings (see Manage Source Mappings) Launch, pause, resume, and cancel all source updates (see Refresh, Rescan or Rebuild Sources) Use the push API to send content to Coveo Cloud (see Push API) Subscribe to source notifications (see User Notifications)	Administrators Content managers

Note 1: See Understanding the Custom Access Level.

Machine Learning Service

Models Domain

You cannot view and edit Coveo Machine Learning models without the following access levels:

View access level on the Analytics data domain (see Analytics Data Domain)
View access level on the Dimensions domain (see Dimensions Domain)
View and Edit access levels on the Query pipelines domain (see Query Pipelines Domain)

Access level	Grantee abilities	Typical grantees
View	Review the list of Coveo Machine Learning models inside the organization query pipelines (see Manage Models)
Edit	Add, edit, or delete query pipeline models, and thus optimize search results relevance and search experience in general (see Managing Coveo Machine Learning Automatic Relevance Tuning Models in a Query Pipeline, Managing Coveo Machine Learning Query Suggestions Models in a Query Pipeline, and Managing Coveo Machine Learning Event Recommendations Models in a Query Pipeline)	Administrators Relevance managers

Organization Service

API Keys Domain

This domain is only available when configuring groups, as API keys cannot be granted the privilege to view or edit other API keys (see Manage Groups).

Access level		Grantee abilities	Typical grantees
View all		View in read-only mode the configuration of all API keys (see Manage API Keys).	Content managers Relevance managers
Custom¹	View	View in read-only mode the configuration of specific API keys (see Manage API Keys).
Custom¹	Edit	Edit, delete, activate, and disable specific API keys (see Manage API Keys and Understanding the Custom Access Level)
Edit all		Add, edit, delete, activate, and disable all API keys (see Manage API Keys and Understanding the Custom Access Level)	Administrators

Note 1: See Understanding the Custom Access Level.

Activities Domain

Access level		Grantee abilities	Typical grantees
View		View all organization activities (see Review All Events Related to Coveo Cloud Administration Console Resources) A member with the View access level could see activities from administration console pages for which they are not granted any access levels.	Content managers Relevance managers
Edit		Send custom activities to Coveo Cloud V2 (see Add or Edit a Push Source)	Administrators API keys

Elasticsearch Indexes Domain

This domain is only available in organizations with an Elasticsearch index (see License).

Access level		Grantee abilities	Typical grantees
View		View index status (see Index Status) View index details (see Review Index Details)
Edit		Add an index (see Add an Index) Edit the JSON configuration of an index (see Edit an Index JSON Configuration)	Administrators

Groups Domain

Grant the Edit or Edit all access level for the Groups domain only to a few people, ideally the authority in your company that manages access rights in corporate systems.

Access level		Grantee abilities	Typical grantees
View all		View all groups, including their privileges (see Manage Groups) View organization members (see Manage Members)	Analytics managers
Custom¹	View	View groups, including their privileges (see Manage Groups)	Content managers Relevance managers² Users³
Custom¹	Edit	Copy, edit, or delete groups and members (see Duplicate a Group, Edit a Group, and Delete a Group) Edit group member privileges (see Privileges Tab) Send invitations to users (see Manage Groups, and Manage Members)	Relevance managers² Users³
Edit all		Copy, edit, or delete all groups and their members (see Duplicate a Group, Edit a Group, and Delete a Group) Edit privileges of all groups (see Privileges Tab) Send invitations to users (see Manage Groups and Manage Members)	Administrators

Note 1: See Understanding the Custom Access Level.

Note 2: By default, members of the Relevance Managers built-in group can edit this group only. This allows them to invite other people in the Relevance Managers group, but not in other groups.

Note 3: By default, members of the Users built-in group can edit this group only. This allows them to invite other people in the Users group, but not in other groups.

Notifications Domain

Access level		Grantee abilities	Typical grantees
View		View organization notifications (see Manage Notifications)
Edit		Edit and delete organization notifications (see Manage Notifications)	Administrators

On-Premises Organization Domain

The privileges of this domain are required by the Coveo On-Premises Crawling Module API keys only (see Coveo On-Premises Crawling Module and Manage API Keys). Granting these privileges to groups of users does not give them any additional capabilities.

Organization Domain

Access level Grantee abilities Typical grantees

View

Access level	Grantee abilities	Typical grantees
View	Access the Coveo Cloud administration console¹ (see Minimum Privilege and Coveo Cloud V2 Administration Console) Without the View access level, an organization member gets the following message when trying to log in to the administration console (see Logging in to Coveo Cloud V2): `Insufficient Privileges - You currently have insufficient privileges to access the Coveo Cloud administration console of the [OrganizationName] organization. Contact an administrator of the [OrganizationName] organization to change your privileges, or select an organization to which you have access through the Coveo Cloud administration console.` View the organization status and license type (see License)	Analytics managers Analytics viewers Content managers Relevance managers Users
Edit	Edit the organization display name and contact (see Organization Information) Delete the organization (see Organization Information) Allow Coveo Professional Services access to the organization (see Organization Information)	Administrators

Access the Coveo Cloud administration console¹ (see Minimum Privilege and Coveo Cloud V2 Administration Console)

Without the View access level, an organization member gets the following message when trying to log in to the administration console (see Logging in to Coveo Cloud V2):

Insufficient Privileges - You currently have insufficient privileges to access the Coveo Cloud administration console of the [OrganizationName] organization. Contact an administrator of the [OrganizationName] organization to change your privileges, or select an organization to which you have access through the Coveo Cloud administration console.
View the organization status and license type (see License)

Analytics managers
Analytics viewers
Content managers
Relevance managers
Users

Edit

Edit the organization display name and contact (see Organization Information)
Delete the organization (see Organization Information)
Allow Coveo Professional Services access to the organization (see Organization Information)

Administrators

Note 1: This ability only applies to groups of users and is irrelevant for API keys.

SAML Identity Provider Domain

Access level		Grantee abilities	Typical grantees
View		View SAML single sign-on settings (see Coveo Cloud V2 SAML SSO)
Edit		Configure SAML single sign-on for the organization and edit the single sign-on settings	Administrators

Snapshots Domain

The privileges of this domain will be required to use an upcoming feature. Granting these privileges to API keys or groups does not give them any additional capabilities yet.

Search Service

Execute Queries Domain

Access level	Grantee abilities	Typical grantees
Allowed	For organization members and API keys to send queries and get search results in search pages connected to their Coveo Cloud organization (see Searching with Coveo Cloud).	Administrators API keys Content managers Relevance managers Users

Impersonate Domain

Access level	Grantee abilities	Typical grantees
Allowed	Obtain a search token for a search interface with secured content to perform queries with the end-user identity and return only results the user is authorized to see. This privilege is especially potent since grantees can impersonate any user and access in search results the content accessible to this user. Grantees could therefore access sensitive items that they cannot normally access in the original repositories.	Administrators API keys

Modify Authentication Provider Domain

Access level	Grantee abilities	Typical grantees
Allowed	Manage authentication for secured sources such as when they are protected with SharePoint claims-based identities.	Administrators API keys

Query Pipelines Domain

You cannot view and edit Coveo Machine Learning models without the View access level on the Models (requires the Edit access level to manage models), Analytics data, and Dimensions domains (see Models Domain).

Access level		Grantee abilities	Typical grantees
View all		View query pipelines (see What Is a Query Pipeline? and Managing Query Pipelines) View [query pipeline rules](/en/236/) View query pipeline rule conditions (see Managing Query Pipeline Rules and Rule Conditions From Tabs) View A/B tests (see Managing A/B Tests)
Custom¹	View	View query pipeline (see What Is a Query Pipeline? and Managing Query Pipelines) View [query pipeline rule](/en/236/) View query pipeline rule condition (see Managing Query Pipeline Rules and Rule Conditions From Tabs) View A/B test (see Managing A/B Tests)
Custom¹	Edit	Edit or delete specific query pipelines (see What Is a Query Pipeline? and Managing Query Pipelines) Edit or delete specific query pipeline rules (see Managing Query Pipeline Rules and Rule Conditions From Tabs) Edit or delete specific query pipeline rule conditions (see Managing Query Pipeline Rules and Rule Conditions From Tabs) Edit or delete specific A/B tests (see Managing A/B Tests)
Edit all		Optimize results relevance and search experience in general: Add, edit, or delete all query pipelines (see What Is a Query Pipeline? and Managing Query Pipelines) Add, edit, or delete all query pipeline rules (see Managing Query Pipeline Rules and Rule Conditions From Tabs) Add, edit, or delete all query pipeline rule conditions (see Managing Query Pipeline Rules and Rule Conditions From Tabs) Add, edit, or delete all A/B tests (see Managing A/B Tests)	Administrators Relevance managers

Salesforce Index Configuration Domain

Access level	Grantee abilities	Typical grantees
View	Link a Coveo Cloud organization to a Salesforce organization that uses a Salesforce index.	Administrators
Edit

Access level

Grantee abilities

Typical grantees

View

Link a Coveo Cloud organization to a Salesforce organization that uses a Salesforce index.

Administrators

Edit

Search Pages Domain

Access level		Grantee abilities	Typical grantees
View		Access the search pages hosted by the Coveo Cloud organizations of which a user is a member	Users
Edit		Add or delete hosted search pages (see Manage Search Pages) Edit hosted search pages, i.e., Customize search page interfaces (see Customize the Interface of a Search Page) Edit search page configurations (see Manage Search Pages)	Administrators

View All Content Domain

Access level		Grantee abilities	Typical grantees
Allowed		Browse all the content of a Coveo Cloud organization index, and thus be able to troubleshoot search issues (see Inspect Items With the Content Browser). This privilege is especially potent since grantees bypass the content permissions and could therefore access sensitive items that they cannot normally access in the original repositories.	Administrators